All runtime configuration for the Wazuh Docker Compose stack is driven by a single .env file located in the project root. Docker Compose reads this file automatically, and wazuh-dev.sh also sources it directly during its pre-deployment checks. Before your first deployment, copy the example file to .env and edit it with your environment’s values:
.env.example are reproduced below for reference:
Network Configuration
Name of the Docker network created for the Wazuh stack. All services attach to this network so they can reach each other by hostname.
CIDR block assigned to the Docker network. Choose a range that does not overlap with any existing networks on the host.
Gateway address for the Docker network subnet. Must fall within the SUBNET range.
Path to the project root directory. Used internally by wazuh-dev.sh when resolving relative file paths. The default . means “the directory from which the script is run,” which should be the repo root.
Server Address
The IP address or hostname of the host running the Wazuh Manager. Remote agent deployments use this value to point their AGENT_MANAGER_SERVER variable at the correct host. Update this to match your actual server address.
Indexer Credentials
OpenSearch admin username. Used by both the Manager (via Filebeat) and the Dashboard to authenticate API requests to the Indexer on port 9200. Also used in the Indexer’s own health check.
Password for INDEXER_USERNAME. The example value is _S1M0V1L48_T7G_2025_.*-. Change this to a strong, unique password in your deployment. Injected as an environment variable into the wazuh.manager and wazuh.dashboard containers.
API Credentials
Username for the Wazuh REST API. The Dashboard uses this credential to query the Manager API on port 55000. wazuh-dev.sh writes this value into config/wazuh_dashboard/wazuh.yml before deploying.
Password for API_USERNAME. The example value is MyS3cr37P450r.*-. This password is written into config/wazuh_dashboard/wazuh.yml by wazuh-dev.sh at deployment time.
The $ character is explicitly disallowed in both API_PASSWORD and API_USERNAME. The wazuh-dev.sh script validates these values and exits with an error if a $ is found, because the sed substitution used to write them into wazuh.yml would be corrupted by shell variable expansion.
Dashboard Credentials
Username for the Wazuh Dashboard’s internal Kibana server account. This account is used by the Dashboard’s backend process to communicate with the Indexer; it is distinct from the end-user login. The default kibanaserver corresponds to the built-in OpenSearch Dashboards service account.
Password for DASHBOARD_USERNAME. The example value is kibanaserver. Change this in production.
Agent Settings
Hostname to assign to the co-located wazuh.agent container. This becomes the agent’s registered name in the Wazuh Dashboard. If this is set to localhost, wazuh-dev.sh automatically substitutes the actual system FQDN returned by hostname -f.
Numeric GID of the docker group on the host. The agent container is added to this group (via group_add) so it can read /var/run/docker.sock for Docker event monitoring without running as root. wazuh-dev.sh detects this automatically with getent group docker | cut -d: -f3 and exports it before calling docker compose.
Custom Admin User
Username of a new (or existing) OpenSearch admin user to create or update in config/wazuh_indexer/internal_users.yml. If the user already exists in the file, only the password hash is updated. If the user does not exist, a new entry is appended with backend_roles: ["admin"].
Plain-text password for MY_USERNAME. wazuh-dev.sh never stores this in plain text: it is immediately hashed using the Wazuh Indexer image’s built-in hash tool. The resulting bcrypt hash is what gets written into internal_users.yml.
Certificate Generator
Path to the Docker Compose file used by the certificate generator step. wazuh-dev.sh uses this value to locate the file before running docker compose -f $GENERATE_INDEXER_FILE run --rm generator. Change this only if you have moved or renamed the generator compose file.
Timezone
IANA timezone string passed to all containers via their environment blocks. Setting a consistent timezone ensures that log timestamps across the Indexer, Manager, and Dashboard are aligned. Example value: America/Bogota. Also consumed by the certificate generator container.
Post-install Script
Relative path (from the project root) to a shell script that the wazuh-init init container runs after the Dashboard becomes healthy. The init container definition is currently commented out in docker-compose.yml. When enabled, it uses an alpine/curl image to execute this script. wazuh-dev.sh validates that this path exists on disk before proceeding with a server deployment.
Additional Variable
Docker image tag for an optional NGINX reverse-proxy container. This variable is present in .env.example for use in extended stack configurations. It is not consumed by the default docker-compose.yml server stack.
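A pre-deployment lint for .env that applies the credential rules described above: no $ in API_USERNAME or API_PASSWORD, and no documented example password left in place. This is an added example, not code from wazuh-dev.sh or the project; the DASHBOARD_PASSWORD name, the assumption that password variables contain PASSWORD in their name, and the sample file contents are constructed for illustration.

```bash
# Added example: lint .env as text (never sourced), so "$" in a value is not expanded.

# Example passwords quoted on this page; none may survive into a deployment.
EXAMPLE_SECRETS='_S1M0V1L48_T7G_2025_.*-
MyS3cr37P450r.*-
kibanaserver'

# Print the raw value of KEY ($2) in FILE ($1); one pair of quotes is stripped.
env_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 |
    sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Non-zero if API_USERNAME or API_PASSWORD contains "$" (the documented rule).
check_api_creds() {
  local key rc=0
  for key in API_USERNAME API_PASSWORD; do
    case "$(env_value "$1" "$key")" in
      *'$'*) echo "ERROR: $key must not contain \$" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Print each *PASSWORD* variable (naming is an assumption) still set to an example value.
find_example_secrets() {
  local key
  for key in $(sed -n 's/^\([A-Za-z0-9_]*PASSWORD[A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u); do
    if printf '%s\n' "$EXAMPLE_SECRETS" | grep -Fxq -- "$(env_value "$1" "$key")"; then
      echo "$key"
    fi
  done
}

# Run both checks; a non-zero exit means the file is not ready to deploy.
lint_env() {
  local rc=0 stale
  check_api_creds "$1" || rc=1
  stale=$(find_example_secrets "$1" | tr '\n' ' ')
  [ -z "$stale" ] || { echo "ERROR: example password in: $stale" >&2; rc=1; }
  return "$rc"
}

# Constructed sample input (not the project's real .env.example).
sample=$(mktemp)
printf '%s\n' 'API_USERNAME=wazuh-wui' 'API_PASSWORD=Pa$$w0rd' \
  'DASHBOARD_USERNAME=kibanaserver' 'DASHBOARD_PASSWORD=kibanaserver' > "$sample"
lint_env "$sample" || echo "lint failed: fix .env before deploying"
```

The username check deliberately skips DASHBOARD_USERNAME, because kibanaserver is a legitimate account name there and only a problem when reused as the password.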